I was waiting for tzuk to confirm this bypass before posting here, but he seems to be taking a while to test it: http://www.sandboxie.com/phpbb/viewtopic.php?t=9812

As far as I know, these are the specific settings to bypass Sandboxie 3.52:

1. Windows 7 (probably works on Windows Vista too). Windows XP seems to be immune.
2. Administrator account. Doesn't work in a Standard User Account (Limited User Account).
3. Sandboxie Drop Rights disabled. Doesn't work if Drop Rights is enabled.

I personally tested on 32-bit, although I'm quite sure the bypass will work on 64-bit too. Can someone test this? Thanks.

As I mentioned in the Sandboxie forum thread, I suspect this bypass has something to do with the UAC mechanism introduced in Windows Vista/7.

Stephen2 wrote:
> As you mentioned, Drop Rights had to be disabled or it would crash SandboxIE Start.exe

Actually, when I tested with 32-bit and Drop Rights enabled, the POC simply wouldn't work - just the same as it wouldn't work in a Standard User Account - an error message pops up saying that it doesn't have enough rights to perform the action. Are you saying that on 64-bit, it crashes instead?

ssj100 wrote:
> I was waiting for tzuk to confirm this bypass before posting here, but he seems to be taking a while to test it [...]

Serious problems take lots of testing. I think he's trying to find a solution before reacting in public.

ssj100 wrote:
> [...] Doesn't work in a Standard User Account (Limited User Account). [...]
> [...] Doesn't work if Drop Rights is enabled. [...]

Well, the author didn't write this specifically against UAC. It was intended as an exploit against Comodo, right? Adapting it for other purposes can't be that hard. And even if UAC can't be bypassed silently, what if this is integrated into an installer you want to test?

P.S.: Praise yourself lucky you're on XP. Although they seem safer, Vista and Windows 7 have some really serious architectural holes in them that are covered up through obscure "security" mechanisms that are not really security boundaries. I'm seriously thinking now what my next flavor for an OS will be, but the odds are against Windows.

Regardless, I've so far concluded that this is more of a "bug" with Sandboxie on Windows 7: http://www.sandboxie.com/phpbb/viewtopic.php?p=63717#63717

I'm still scratching my head over why this POC doesn't work on Windows XP when run sandboxed in a full blown Administrator account with Drop Rights disabled. When run outside the sandbox, the POC succeeds, so it's not that the POC isn't functional on Windows XP. Could this be more of a "compatibility" issue between Sandboxie and Windows 7 itself?

p2u wrote:
> P.S.: Praise yourself lucky you're on XP. Although they seem safer, Vista and Windows 7 have some really serious architectural holes in them that are covered up through obscure "security" mechanisms that are not really security boundaries. I'm seriously thinking now what my next flavor for an OS will be, but the odds are against Windows.

We'll see how it goes I suppose. I'm personally waiting for Windows 8 or Windows 9 before leaving XP. And happily, so is my workplace.

Theoretically (I haven't looked at the PoC): From the description of the PoC I understand that it just makes some very simple system calls, nothing more. The interesting thing is that Sandboxie is reported to crash during this experiment. Since we are talking about account creation, this would suggest that Sandboxie hooks into some of the SAM API functions, which causes an evil exception when those functions are called. As to why this happens on Vista/Win7, but not on XP: one of the possible reasons that come to mind is that as an admin on Vista and Windows 7, you can make queries and get security-related process info (the system itself allows it to happen) that is off-limits on XP (the system itself will block it from happening). That would be a good explanation of why you are "protected" on XP, but not on Vista and up. But instead of listening to my pseudo-technical babble, it would be best to ask the author of the PoC himself through PM. I see that he posts on the Sandboxie forum as well...

Update: tzuk has identified the problem and will release a Beta version to test soon: http://www.sandboxie.com/phpbb/viewtopic.php?p=63871#63871

Thanks for this problem report, I've looked into this. It was really a very small bug.

What this program does is contact the Security Account Manager (SAM) component of Windows and ask to create a new account. Sandboxie already traps this request and wants to strip Administrator group membership prior to actually issuing the request, which is why this request is actually blocked on Windows XP.

Just before stripping group membership, Sandboxie evaluates the security token to see if this is actually necessary. This means getting information about the security token into a memory buffer. The mistake I made was to have a small memory buffer. That works fine on XP but on Vista/7 there is a lot more security information and the memory buffer was just not big enough.

I made the memory buffer larger, and that fixes the Administrator-stripping logic. Sorry about this oversight.

I am aiming to release version 3.53.01 towards the end of this week or early next week so you should be able to confirm this fix at that time.
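The buffer-sizing mistake tzuk describes above, shown as an added example that is not Sandboxie's code. It is a portable C simulation: the token and the query function are constructed stand-ins (the Windows call this models is assumed to be GetTokenInformation with its "too small, here is the size you need" contract), and the group ids are made up. The point it demonstrates is twofold: a fixed buffer that is large enough for a small XP-style token silently fails on a larger Vista/7-style token, and a check that treats that failure as "no stripping needed" fails open. The sized variant queries the required length first and, if the query still fails, fails closed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an access token: a list of group ids.
 * The real TOKEN_GROUPS structure grows with the number of groups the
 * account belongs to; Vista/7 admin tokens carry many more entries than XP. */
typedef struct {
    int group_count;
    unsigned int group_ids[64];
} FakeToken;

#define ADMIN_GROUP_ID 544u /* stand-in for the Administrators group id (constructed) */

/* Simulated query with the same contract as the assumed GetTokenInformation call:
 * copies group ids into buf; if buf is too small (or NULL), returns false and
 * reports the required byte count in *needed. */
static bool fake_get_token_groups(const FakeToken *tok, unsigned int *buf,
                                  size_t buf_len, size_t *needed)
{
    *needed = (size_t)tok->group_count * sizeof(unsigned int);
    if (buf == NULL || buf_len < *needed)
        return false;
    memcpy(buf, tok->group_ids, *needed);
    return true;
}

/* Buggy pattern: a fixed small buffer, and on failure the caller assumes
 * "no admin group present", so the stripping step is skipped (fails open). */
bool needs_strip_fixed_buffer(const FakeToken *tok)
{
    unsigned int buf[8]; /* fits an XP-style token, not a Vista/7-style one */
    size_t needed;
    if (!fake_get_token_groups(tok, buf, sizeof buf, &needed))
        return false; /* BUG: query failure treated as "not an admin" */
    size_t n = needed / sizeof(unsigned int);
    for (size_t i = 0; i < n; i++)
        if (buf[i] == ADMIN_GROUP_ID)
            return true;
    return false;
}

/* Fixed pattern: ask for the required size first, allocate exactly that,
 * then query; if anything still fails, fail closed (assume stripping is needed). */
bool needs_strip_sized_buffer(const FakeToken *tok)
{
    size_t needed = 0;
    fake_get_token_groups(tok, NULL, 0, &needed); /* sizing call */
    unsigned int *buf = malloc(needed ? needed : 1);
    if (buf == NULL)
        return true; /* fail closed */
    bool result = true;
    if (fake_get_token_groups(tok, buf, needed, &needed)) {
        result = false;
        size_t n = needed / sizeof(unsigned int);
        for (size_t i = 0; i < n; i++)
            if (buf[i] == ADMIN_GROUP_ID) { result = true; break; }
    }
    free(buf);
    return result;
}

/* Constructed admin token with group_count entries (1..64), admin group last. */
static FakeToken make_admin_token(int group_count)
{
    FakeToken t;
    t.group_count = group_count;
    for (int i = 0; i < group_count; i++)
        t.group_ids[i] = 1000u + (unsigned int)i;
    t.group_ids[group_count - 1] = ADMIN_GROUP_ID;
    return t;
}

/* Returns 1 if the chosen check decides the admin group must be stripped. */
int demo(int group_count, bool use_sized_buffer)
{
    FakeToken tok = make_admin_token(group_count);
    return use_sized_buffer ? needs_strip_sized_buffer(&tok)
                            : needs_strip_fixed_buffer(&tok);
}

int main(void)
{
    /* 5 groups stands in for XP, 20 groups for Vista/7 (both constructed). */
    printf("XP-like token:   fixed=%d sized=%d\n", demo(5, false), demo(5, true));
    printf("Win7-like token: fixed=%d sized=%d\n", demo(20, false), demo(20, true));
    return 0;
}
```

On the small token both checks agree that stripping is needed; on the larger token only the sized variant does, which is the behaviour difference between XP and Vista/7 that the thread describes. The lesson generalizes beyond this one bug: any security decision that depends on a query succeeding should treat a failed query as the restrictive outcome, not the permissive one.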